Read our September Newsletter, out now! Find out more about the EDPS' Supervisory Opinions on Frontex; the CLOUD Act; our work on Artificial Intelligence and the Fediverse; and more!
In this issue
Have you heard about the CLOUD Act?
The CLOUD Act, or the American Clarifying Lawful Overseas Use of Data Act, is a United States’ (U.S.) federal law that came into force in March 2018. Amending the U.S. Stored Communications Act (SCA), the CLOUD Act allows the U.S. government, with a court order, to access electronically stored communication data located in a private entity subject to U.S law but located outside the U.S., providing that this data is relevant to an ongoing criminal investigation. The CLOUD Act also allows for bilateral agreements to be concluded between the U.S and another country, such as a country in the EU or European Economic Area, to exchange personal data or to have access to each country’s respective data for law enforcement purposes.
Concretely, entities in the EU, including EU institutions, bodies, offices and agencies, could be subject to the U.S. Cloud Act if they use services, such as web services, that have a link with the U.S or are based in the U.S. for example. Any direct or indirect corporate link between an EU entity and a U.S. entity could be subject to the CLOUD Act. It is equally important that the controllers, joint-controllers, processors and joint processors in charge of deciding how and for what purposes personal data may be processed do not have corporate links with U.S companies either.
Other, but perhaps less obvious, ways in which EU entities could be subject to the CLOUD Act are:
- the EU entity in question actively targets U.S. consumers through specific advertising or by creating a dedicated website, providing tailored services to appeal to U.S customers;
- the EU entity in question does not specifically target U.S. consumers but nevertheless has U.S customers, which generates revenue and provides insight into U.S. consumers’ behaviour.
On the contrary, the following circumstances do not necessarily mean that the EU entity in question would be subject to the CLOUD Act:
- if the EU entity actively avoids targeting U.S. consumers by blocking access to its website for example, but has contacts with U.S. consumers;
- if a third party uses or sells an EU entity’s products and services in the U.S., but the EU entity itself does not target U.S. consumers.
These developments reconfirm the importance of seeking alternative services, such as cloud and web services, based in the EU, to ensure that individuals’ personal data is processed according to EU data protection law and EU values.
Are you familiar with the EDPS’ work?
The Executive Summary of the EDPS Annual Report 2021 is now available in all official languages of the EU!
In this Executive Summary, you can find out more about our most significant work and activities as the supervisory authority of the EU institutions, bodies, offices and agencies. In particular:
- our work on international transfers of personal data;
- our continuous monitoring of new technologies and their impact on data protection;
- our supervision of the bodies and agencies that are part of the Area of Freedom Security and Justice;
- the Opinions that we delivered as an advisor to the EU Legislator on data protection;
- our initiatives, such as TechSonar, that aim to help embed privacy throughout the development of new and emerging technologies.
A network for sustainable farming
On 11 August 2022, the EDPS issued an Opinion on a proposed Regulation for a Farm Sustainability Data Network (FSDN).
The FSDN aims to expand the scope of the Farm Accountancy Data Network (FADN), a public database that collates annually aggregated data from crop and livestock farms to assess the economy of farms and rural areas within the EU Member States and at EU level. In addition to the data already collected in the FADN, the Farm Sustainability Data Network (FSDN) would include environmental data linked to soil, air, water and biodiversity, as well as data related to the social dimension of farming. Data collected and encoded into the FSDN may include the identity, address, location of farmers and farms; this information amounts to personal data.
The data collected in the FSDN would serve as a basis for the European Commission and relevant Agencies to draft reports that would contribute to the EU’s Common Agricultural Policy, the Green Deal, and other existing or future initiatives concerning agriculture, farming and sustainability. It is also planned that this data may be used to provide personalised advice, advisory services and feedback to farmers to improve their sustainability.
In this regard, the EDPS welcomes that this data, shared with and between the European Commission and relevant Agencies, would be anonymised or pseudonymised, highlighting that these are important techniques to mitigate data protection risks for individuals. Nevertheless, the EDPS points out, in its Opinion, that anonymisation and pseudonymisation are two different techniques. While the process of anonymising data means that this data cannot be related to an identified or identifiable individual, the process of pseudomynising data means that this data could be reattributed to a specific individual with the use of additional information. Therefore, pseudonymised data would be considered as personal data. Taking into account these meaningful differences that may impact the secure way in which personal data is processed, the EDPS recommends that the proposed Regulation clarifies how, and in what form, this data may be exchanged, with the aim of prioritising the protection of farmers’ personal data and privacy.
Similarly to the FADN, data included in the Farm Sustainability Data Network (FSDN) is to be made publically available, according to its proposed Regulation. The EDPS underscores that rendering the data included in the FSDN public strictly depends on whether this data would serve the objective of public interest, and on whether making this data public is necessary and proportionate in light of the objectives of this proposed Regulation. Taking into account these mandatory criteria, the EDPS indicates in its Opinion that sharing FSDN data publically for the objective of transparency or for the objective of contributing to the assessment of the EU’s agriculture policy are not considered as objectives of public interest that would justify the publication of this data.
As a general remark, the EDPS recommends that the types of personal data, the way this data is processed, such as the technical tools and other safeguards used for its processing, as well as the roles and responsibilities of those processing this data are specifically addressed in the proposed Regulation for a Farm and Sustainability Network (FSDN).
What is an EDPS Opinion? Find out here.
EU-Japan Economic Partnership Agreement
On 9 August 2022, the EDPS issued an Opinion on planned negotiations to include provisions on cross-border data flows in the EU’s Agreement for an Economic Partnership with Japan.
The EU’s Economic Partnership agreement with Japan was signed in July 2018 with the aim to remove the vast majority of import and export taxes paid by companies in the EU and Japan, and to remove other technical and regulatory barriers to trade.
Like many other partnerships of this nature, the EU-Japan Economic Partnership may involve the exchange and processing of individuals’ personal data. This may include, for example, tax data, information on the identity of company holders, data linked to financial assets and asset holders, public health data.
In this context, the European Commission granted Japan an adequacy decision that recognises Japan as providing an adequate level of protection for individuals’ personal data according to EU law and standards. This adequacy decision means that transfers of personal data may occur from the EU to Japan without the need for further authorisations, therefore prioritising the protection of individuals and their data, as well as facilitating this economic partnership contributing to the EU’s growth.
Against this background, the EDPS recommends in its Opinion to further explain why, despite the Adequacy Decision granted to Japan, further negotiated provisions for cross-border data flows are considered necessary.
The EDPS welcomes that, according to the European Commission, such provisions should be coherent with the horizontal provisions for cross-border data flow in EU trade and investment agreements, published by the European Commission in July 2018.
The horizontal provisions cement the involved parties’ commitment to upholding the fundamental rights to data protection and privacy in the context of cross-border data flows. In practice, these horizontal provisions aim to strike the right balance between public and private interests that would allow the EU to tackle protectionist practices that may occur in non-EU/EEA countries in relation to digital trade, while ensuring that trade agreements, like the EU-Japan Economic Partnership, are not used to challenge the fundamental right to data protection.
Concluding its Opinion, the EDPS recommends clarifying that the future negotiated provisions should not prevent the EU or the EU Member States from adopting, in duly justified cases, measures that would require controllers or processors to store personal data in the EU/EEA.
Proposal to combat child sexual abuse online presents serious risks for fundamental rights
On 29 July, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) adopted a Joint Opinion on the Proposal for a Regulation to prevent and combat child sexual abuse. The Proposal aims to impose obligations related to detecting, reporting, removing and blocking known and new online child sexual abuse material (CSAM), as well as the solicitation of children, on providers of hosting services, interpersonal communication services, software application stores, internet access services and other relevant services.
The EDPB and EDPS consider child sexual abuse as a particularly serious and heinous crime. Limitations to the rights to private life and data protection must, however, respect the essence of these fundamental rights and remain limited to what is strictly necessary and proportionate. The EDPB and EDPS consider that the Proposal, in its current form, may present more risks to individuals, and, by extension, to society at large, than to the criminals pursued for CSAM. Whilst supporting the goals and intentions behind the Proposal, the EDPS and EDPB express serious concerns about the impact of the envisaged measures on individuals’ privacy and personal data. The lack of detail, clarity and precision of the conditions for issuing a detection order for CSAM and child solicitation does not ensure that only a targeted approach to CSAM detection will effectively take place. There is a risk that the Proposal could become the basis for a generalised and indiscriminate scanning of content of virtually all types of electronic communications. The EDPB and EDPS advise that the conditions for issuing a detection order should be further clarified.
TechSonar #2 out now!
A year ago, the EDPS launched a new initiative, the TechSonar reports.
TechSonar aims to anticipate emerging technology trends to better understand their future developments, especially their potential implications on data protection and individuals’ privacy. More than that, last year the EDPS set itself the goal of observing and analysing about 5 to 6 trends each year. In 2021, the selected technology trends were: smart vaccination certificates; synthetic data; central bank digital currency; just walk out technology; biometric continuous authentication; and digital therapeutics, which you can read up on here.
Now back with its second TechSonar edition, the EDPS has selected the following 5 emerging trends that you can discover or learn more about. These are: Fake News Detection; Central Banking Digital Currency; the Metaverse; Federated Learning; and Synthetic Data.
You can now delve deeper into how automated fact-checking tools can help combat fake news, but also learn about the challenges that these tools may bring. Navigate the ways Central Banking Digital Currency can be developed through a decentralised or centralised approach, and what this may mean for individuals’ privacy. Explore the metaverse and what it can offer; learn about federated learning as a new way of developing machine-learning models; whether synthetic data can really contribute to mitigate biases and help combat different forms of discrimination; and more.
The TechSonar reports confirm the EDPS’ ambition to prepare, as much as possible, for technological evolutions by attempting to map out some of the diverse set of plausible scenarios that emerging technologies may create. It is the EDPS’ conviction that projects like TechSonar and conversations with experts from the technology, legal and data protection fields are necessary to carry out its mission of supervising and regulating the use of technologies in a way that prioritises the protection of individuals’ fundamental rights, details Supervisor Wojciech Wiewiórowski in a blogpost explaining the ethos of TechSonar, published on 27 July 2022.
TechDispatch #1/2022 - Federated Social Media Platforms
On 26 July 2022, the Technology and Privacy Unit of the EDPS issued its first TechDispatch edition of the year 2022 on the topic of Fediverse and Federated Social Media Platforms.
Since its creation in 2019, each TechDispatch edition aims to provide a factual description of an emerging technology, as well as an analysis of its impact on data protection and individuals’ privacy.
The Fediverse consists of many social media platforms that are both independent from each other as well as being interoperable with one and another, therefore allowing users to interact with each other across different platforms. Because of the nature of these social media platforms, they are also known as federated social media platforms.
In its TechDispatch, the EDPS breaks down some of the advantages, opportunities and challenges that federated social media platforms present in the context of data protection, and how these compare to traditional centralised, non-interoperable social media platforms.
As an example, the decentralised and independent characteristics of federated social media platforms bring some positives. If one of the federated social media platforms suffers from a data breach, the risks for individuals’ personal data is contained and limited to one platform rather than thousands of individuals of an otherwise centralised platform being put at risk. There may also be a lower incentive for malicious cyber-attacks as a result. In addition, by being independent, federated social media platforms can each choose how to collect funding to support their development, therefore limiting their reliance on big advertising that often involves the profiling of users for behavioural advertisements, a revenue channel often used by centralised platforms.
What can be observed currently is that federated social media platforms have a hands-on approach to data protection compliance, to dealing with individuals requests, such as requests to delete personal data, for example. However, for some smaller federated social media platforms, it may be a challenge to source the necessary expertise, knowledge and technical support to be privacy compliant.
Curious to know more? Uncover more aspects of federated social media platforms in the EDPS’ TechDispatch edition, available now on the EDPS website.
AI and I: A three-step approach to Artificial Intelligence
What is Artificial Intelligence (AI)? Well, it is a complex concept, hard to define, challenging to understand, but what is sure is that it is seeping into our everyday lives, and growing exponentially.
The multi-layered complexity of AI is perhaps what sparked curiosity amongst the European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB) trainees of February to July 2022, and the reason why they decided to produce a three-part podcast series on this topic. Episodes are available on the EDPS website here.
The EDPS and EDPB trainees gathered a variety of experts from law, academia, data protection and from the tech industry to help define AI, how it works, how AI should be regulated, its opportunities, but also its impact on individuals’ fundamental rights to privacy and personal data.
AI-based technologies have the potential to alter society’s way of living, both in a positive and negative way. AI can provide solutions in different areas, such as in the health or education sector. AI can also be a tool to help make decisions, even the most important ones, more efficiently. This is particularly relevant in employment by sifting automatically through candidates’ job applications, or interrogating databases to combat or prevent crime, as well as for purposes of automated-decision making in the context of border control management, to name a few examples.
But, the use of AI also means the processing of huge volumes of data: individuals’ data, our data. This comes with risks that must be mitigated with appropriate laws, technological safeguards, and collaboration within the EU and beyond, to help shape AI now and in the future in a way that protects individuals, their fundamental rights, their privacy.
Listen to the podcast to hear experts share their views on AI and AI-based technologies, and learn about concrete solutions to make AI privacy compliant.
What is a digital identity? Are digital identity solutions compatible with data protection?
With a large portion of our lives managed and spent online, for example when using online banking, or carrying out other administrative steps, we leave a considerable amount of digital traces behind us which make up, more or less accurately, our digital identity - our identity online. We sometimes use this digital identity to demonstrate who we are when signing into our various online accounts to obtain an authorised access to specific services, such as access to a governmental interface to pay our taxes.
Having a digital identity may mean that a considerable amount of our personal data may be used, or even sometimes misused, by different actors. It is therefore important to continuously build systems and find solutions that foster trust and accountability to prevent mass surveillance and protect individuals and their fundamental rights, including their rights to privacy and data protection, online. This is exactly the topic that was discussed during the EDPS’ most recent IPEN workshop, co-organised with the Cardinal Stefan Wyszyński University in Warsaw, Poland, on 22 June 2022.
IPEN, or Internet Privacy Engineering Network, set up by the EDPS in 2014, organises workshops that bring together developers, engineers and data protection experts from various backgrounds to launch and support projects that build privacy into everyday tools, and to develop new tools that can effectively protect and enhance individuals’ privacy.
During the IPEN workshop, participants exchanged views on the compatibility of digital identity solutions with data protection by drawing on examples of various initiatives that exist at EU level and within the EU Member States, such as the European Digital Framework initiative. With these examples, participants highlighted the challenges and opportunities that digital identity solutions bring, as well as the requirements and measures to adopt to embed privacy and data protection principles into these solutions.
The EDPS looks forward to furthering discussions on this topic to help inform its work as the advisor of the EU legislator and as the data protection authority of EU institutions, bodies, offices and agencies.
The EDPS looks forward to organising other IPEN workshops with the aim to integrate data protection by design and by default in the development of technologies.
You can find out more about this workshop by reading the blogpost, available here.
Detailed information on the IPEN Workshop on Digital Identity can be found here.
For more information on our previous and upcoming IPEN workshops, visit the EDPS website here.
EDPS issues Supervisory Opinions on Frontex
The EDPS issued on 7 June 2022 two Supervisory Opinions regarding Frontex, the European Border and Coast Guard Agency contributing to the effective management of European borders.
Supervisory Opinions are either issued on the EDPS’ own-initiative or at the request of an EU institution, body, office or agency (EUI) on various data protection matters, typically on how an EUI processes individuals’ personal data in its day-to-day work.
The first Supervisory Opinion concerns Frontex’s Internal Rules applicable to all of its personal data processing activities. Whilst the second Supervisory Opinion concerns Frontex’s personal data processing activities related to the identification of suspects involved in cross-border crimes.
In both Supervisory Opinions, the EDPS remarks that Frontex’s Internal Rules are not sufficiently clear, and, therefore, recommends that the following aspects are clarified:
- the purposes for which individuals’ personal data may be processed;
- the categories of individuals that may have their personal data processed;
- the categories of personal data that may be processed;
- information on controllers or categories of controllers who may process individuals’ personal data;
- data protection safeguards to prevent abusive or unlawful access to individuals’ personal data;
- the time period during which individuals’ personal data will be stored.
Clarifying the aforementioned aspects is a requirement stemming from the EU Charter of Fundamental Rights, to ensure that individuals’ rights to privacy and personal data protection are protected at all times.
Specifically in its second Supervisory Opinion, the EDPS notes that several internal rules seem to expand Frontex’s role and scope as a law enforcement authority. According to the Treaty on the Functioning of the EU, Frontex’s role is to ensure the management of European borders, specifically in the areas of border checks, asylum and migration, and is not responsible for preventing and combatting serious crimes, for which another EU agency is in charge of, highlights the EDPS. Therefore, any activities related to preventing and combatting serious forms of crime should be considered as a secondary action as a way of supporting the EU Agency in charge of such tasks. These differentiations should be accurately reflected in Frontex’s external rules, writes the EDPS.
The EDPS recalls that special categories of personal data, such as individuals’ health data, data revealing racial or ethnic origin, genetic data, can only be processed if this can be legally justified. These special categories of data also need to be protected with specific safeguards to avoid discriminatory practices.